The Justice Department announced charges against Russian military hackers on Monday, indicting them for their alleged role in Russian cyberattacks targeting the United States, Ukraine, Georgia, France, South Korea, the United Kingdom, and more to advance the Kremlin’s interests around the world.
The 50-page indictment unsealed on Monday was returned by a Pittsburgh grand jury last week, less than a month before the 2020 election.
Investigators said the six officers in Unit 74455 of the Russian Main Intelligence Directorate, or “GRU,” who face charges “engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: Ukraine; Georgia; elections in France; efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.”
“No country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages in fits of spite,” Assistant Attorney General for National Security John Demers said. “Today the Department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”
Robert Mueller’s special counsel investigation named two GRU units, Unit 74455 and 26165, as being behind Russia’s election interference efforts during the 2016 presidential election, including the hacking of the Democratic National Committee’s email systems and the provision of the purloined emails to WikiLeaks for dissemination. One of the GRU officers named by the Justice Department on Monday, Anatoliy Kovalev, was indicted in Mueller’s investigation and is now indicted for his alleged role in targeting French elections, too.
Demers noted that this GRU unit, also known as the Sandworm Team, was involved in 2016 election meddling in the U.S., but he said that “we make no election interference allegations,” stressing instead that the charges “illustrate how Unit 74455’s election activities were but one part of the work of a persistent, sophisticated hacking group busy sabotaging perceived enemies or detractors of the Russian Federation.”
The Justice Department said the NotPetya malware used by Russian military intelligence “spread worldwide, damaged computers used in critical infrastructure, and caused enormous financial losses” and noted that in the U.S., the Russian cyberattacks “impaired Heritage Valley’s provision of critical medical services to citizens of the Western District of Pennsylvania through its two hospitals, 60 offices, and 18 community satellite facilities” and “caused the unavailability of patient lists, patient history, physical examination files, and laboratory records.” The Justice Department also said Heritage Valley “lost access to its mission-critical computer systems (such as those relating to cardiology, nuclear medicine, radiology, and surgery) for approximately one week and administrative computer systems for almost one month, thereby causing a threat to public health and safety.”
The NotPetya malicious code allegedly caused $10 billion in damage worldwide — the most destructive malware in history — with three U.S. businesses losing an estimated $1 billion, including costing a FedEx affiliate $400 million and a pharmaceutical company $500 million.
The charges of conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, the commission of wire fraud, intentional damage to protected computer systems, and aggravated identity theft carry maximum sentences of five, 20, 20, 10, and two years in prison respectively; many of these could be longer because the additional allegations of false registration of domain names increase the maximum sentences. The Russian hackers are not in U.S. custody and are believed to be at large overseas.
“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” FBI Deputy Director David Bowdich said. “But this indictment also highlights the FBI’s capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them. As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”
The indictment went into detail about a host of cyberattacks ranging from November 2015 through October 2019 that the Justice Department was formally blaming on Russian military intelligence.
Investigators said the Russians targeted Ukraine’s electric power industry and its financial services using BlackEnergy, KillDisk, and Industroyer malware in 2015 and 2016. The DOJ also said Russian hackers targeted the 2017 French elections, carrying out seven spear-phishing campaigns against numerous political entities, including over 100 members of now-President Emmanuel Macron’s En Marche political party. The Russians were also accused of being behind cyberattacks in 2019 against Georgia’s parliament.
The Justice Department further said that from December 2017 through February 2018, the Russians conducted spear-phishing campaigns targeting South Korean citizens and officials, Olympic athletes, and International Olympic Committee officials, and that they also deployed the Olympic Destroyer malware against the Olympics, an attack some had attributed to North Korea but which DOJ investigators said came from Russia. The U.K. said Monday that Russian military intelligence also targeted the 2020 Summer Games, which had been scheduled to take place in Tokyo before being delayed due to the coronavirus pandemic.
Another Russian outfit, GRU Unit 29155, is believed to be behind the 2018 Novichok nerve-agent poisoning of former Russian military officer and British double agent Sergei Skripal and his daughter Yulia in the U.K. The Justice Department said Monday that Unit 74455 was involved in conducting spear-phishing campaigns targeting the poisoning investigations conducted by the Organisation for the Prohibition of Chemical Weapons and the U.K.’s Defence Science and Technology Laboratory.
The announcement comes amid a flurry of recent DOJ activity specifically naming foreign hackers, including indicting Chinese hackers in July and September for a host of global hacking schemes, charging Iranian hackers last month for targeting the U.S. as revenge for Iranian spy chief Qassem Soleimani’s death, and accusing Russian hackers of trying to steal coronavirus vaccine research this summer.
William Evanina, who leads the National Counterintelligence and Security Center, released an intelligence assessment in August that warned that Russia is “using a range of measures to primarily denigrate” Democratic presidential nominee Joe Biden, including that “pro-Russia Ukrainian parliamentarian Andriy Derkach is spreading claims about corruption — including through publicizing leaked phone calls — to undermine” the former vice president’s candidacy. The same statement said China “prefers” Trump not win reelection and is “expanding its influence efforts ahead of November 2020” in order to “pressure political figures it views as opposed to China’s interests.” The counterintelligence official also said Iran “seeks to undermine” Trump’s presidency.
“I would say that, generally, it is a warning — it’s a warning to these countries and the actors that are working for them that these activities are not quite as deniable as they might hope they were originally,” a DOJ official said after the Washington Examiner asked if the indictment was meant to warn foreign actors against targeting the U.S. election. “We can, as we’ve shown today and countless times before, unmask the individuals sitting on the keyboards who conducted this activity … I think you need to look at this case as part of a long-running effort to disrupt the GRU’s hacking activities and contest this space.”